Enhancing Web Security with U2F Authentication
Explore the innovative FIDO U2F technology, a robust authentication solution for the web that addresses common password vulnerabilities. Learn how U2F works, its benefits for users, service providers, and device vendors, and its user-friendly implementation across various devices. Discover why U2F offers a secure, phishing-resistant alternative to traditional password methods.
- Web Security
- U2F Authentication
- Password Vulnerabilities
- Authentication Technology
- Phishing Prevention
Presentation Transcript
FIDO U2F Universal 2nd Factor open standard strong authentication for the web
Presentation Structure
- U2F Overview
  - Problem being solved
  - Value to the end user
  - Value to the Service Provider (RP)
  - Value to the device vendor, integration vendor
- How U2F works
  - Protocol design considerations
  - U2F Spec layers
  - More use cases
  - Current Status
- The larger view
  - UAF + U2F as a complementary whole
- Working Group Logistics
  - Meeting schedule, communication etc.
Web passwords are broken: reused, phished, keylogged.
Today's solution: one-time codes, by SMS or by device
- SMS usability: coverage issues, delay, user cost
- Device usability: one per site, expensive, fragile
- User experience: phishable, and users find it hard. German Police re: iTAN: ".. we still lose money"
The U2F Solution: how it works
- One device, many services
- Easy: press button
- Safe: un-phishable security
Simple for Users
1. Userid & password
2. Present U2F device
3. Successful sign in
Presenting a U2F device over various transports:
- USB U2F device = insert and press button
- NFC U2F device = tap
- Bluetooth U2F device = press button
- Built-in onboard U2F device = button or equivalent UI gesture
User self-registration
1. Userid & password
2. Present U2F device
3. Backup options
4. Registration done
Usage on Mobiles
- Tomorrow: use NFC, Bluetooth or on-board U2F capability.
- Today: use your computer to bless your mobile (one-time action).
Small, Reliable, Secure
- Battery-less options
- Robust
- Strong client-side security
U2F Protocol
Core idea: standard public key cryptography.
- The user's device mints a new key pair and gives the public key to the server.
- The server asks the user's device to sign data to verify the user.
- One device, many services; "bring your own device" enabled.
Lots of refinement is needed for this to be consumer facing:
- Privacy: site-specific keys, no unique ID per device
- Security: no phishing, no man-in-the-middles
- Trust: verify who made the device
- Pragmatics: affordable today, ride the hardware cost curve down
- Speed for the user: fast crypto in the device (Elliptic Curve)
Think "Smartcard re-imagined for the modern consumer web".
Under the hood
U2F spec layers:
- Common Crypto Layer Spec
- Transport Layer Specs: user device <-> U2F device
  - First transport spec: driverless USB
  - Immediate follow-ons: NFC, Bluetooth, on-board
Direct access from the browser:
- No client middleware to install
- Simple JavaScript API: 'Create Key Pair' and 'Sign'
- Not just tied to login! Use it anytime you want to strongly verify the user.
- Following phase: native OS APIs
The UI seen by the user is completely under server control. Easy server-side integration.
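The 'Create Key Pair' and 'Sign' flow from the protocol and spec-layer slides above, as an added Go simulation that is not part of the presentation or of any FIDO implementation: the token mints one key pair per registration and binds it to the site's appID (site-specific keys), and the RP checks the browser-reported origin and its own challenge inside the signed client data before verifying the signature, which is what defeats a relayed sign-in. The appID, key-handle format, clientData shape and all function names are assumptions for illustration; a real token wraps the private key into the key handle, and the real signed message also carries a user-presence byte and a counter, both omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Device is a simulated U2F token (assumption, not a real implementation): each registration
// mints a fresh key pair that is bound to the appID it was created for.
type Device struct {
	keys   map[string]*ecdsa.PrivateKey // key handle -> private key
	appIDs map[string]string            // key handle -> appID the key was minted for
}

func NewDevice() *Device { return &Device{keys: map[string]*ecdsa.PrivateKey{}, appIDs: map[string]string{}} }

// Register ("Create Key Pair"): mint a new P-256 key pair for appID; the RP stores the key handle and public key.
func (d *Device) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	kh := fmt.Sprintf("kh-%d", len(d.keys)) // simulated key handle; a real token would wrap the private key here
	d.keys[kh], d.appIDs[kh] = priv, appID
	return kh, &priv.PublicKey, nil
}
// digest covers sha256(appID) || sha256(clientData): the site identity plus the browser-reported origin and challenge.
func digest(appID string, clientData []byte) []byte {
	ap, cp := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	h := sha256.Sum256(append(ap[:], cp[:]...))
	return h[:]
}
// Sign: the token only uses a key handle that was minted for this exact appID (site-specific keys).
func (d *Device) Sign(appID, kh string, clientData []byte) ([]byte, error) {
	priv, ok := d.keys[kh]
	if !ok || d.appIDs[kh] != appID {
		return nil, fmt.Errorf("key handle %q was not issued for appID %s", kh, appID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(appID, clientData))
}
// Verify is the RP side: the origin the browser wrote into clientData must be the RP's own origin and the
// challenge must be the one the RP issued; only then is the ECDSA signature checked against the stored key.
func Verify(pub *ecdsa.PublicKey, appID, origin, challenge string, clientData, sig []byte) bool {
	var cd struct{ Origin, Challenge string }
	if json.Unmarshal(clientData, &cd) != nil || cd.Origin != origin || cd.Challenge != challenge {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(appID, clientData), sig)
}
```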
Open Ecosystem
- Consulting
- Browser support
- Open FIDO Alliance U2F Working Group
- Mobile OS support
- Many devices & form factors
- Adoption
U2F: Universal 2nd Factor: in a nutshell
The user has a 2nd-factor strong authentication device:
- Works with any service which supports it
- Mental model: "Like a key on your chain, a card in your wallet"
For the user: easy, secure login
- One device, many services
- Simple UX: press button or tap, no software install
- Passwords can be made simple -- 4 digit PINs like an ATM?
For the web site (RP): open, strong security
- Open: not proprietary, multiple vendors, no central service required
- Self-provisioned: no pre-seeding required, "bring your own token" possible
- Strong security: non-phishable, blocks most practical MITMs
- Strong privacy: one site cannot use a credential given to another
Other usage models beyond "one key you carry"
1. Token for the home machine
   - Husband and wife share
   - Husband for sites A and B, wife for sites C and D
2. One token at home, one token at work
   - User provisions both for PayPal, can pay from either place
3. One token plugged in at home, one token to carry
   - Convenience: home computer always ready to go
4. One (tiny) token plugged permanently into the work laptop
   - Laptop becomes the 2nd factor (maybe built into next-gen laptops?)
5. Husband/wife, separate tokens
   - Each activates their own key; the protocol has no problem with multiple keys
6. One account, multiple users, each with their own token
   - Small business users share an account with strong auth
7. Account lockdown to a single device
   - Only one token, permanently with the office machine
8. Same token for the work account and the personal account
   - Work (= enterprise) leverages the user's "bring your own token"
Current U2F Status
- Targeting Review Draft Spec: Dec 2013
  - Crypto Layer Spec
  - Transport Layer Spec: USB
- Ongoing work on other transports: NFC, Bluetooth LE, onboard on Android
- Working-Draft protocol version implemented
  - Multiple interoperable servers from members
  - One token implementation available
  - Other token implementations actively planned
  - Google deployed in-house for employees
How they fit: UAF + U2F
UAF = Universal Authentication Framework
- Larger view, passwordless, local device auth for sign = OSTP
U2F = Universal 2nd Factor
- Critical bridge to the future: "classic" 2-factor, incremental change for the RP
- Service (RP) password still present, but can be simple (4 digit PIN?)
How do they fit together? Message to the Service Provider (RP):
- At registration: discover whether the user has a FIDO UAF enabled device. If so, register it for the passwordless experience.
- Else offer the user a FIDO U2F token in a browser; self-register for the simple password 2-factor experience.
- At login: user has a FIDO UAF enabled device + UAF registration? Exercise the UAF experience.
- Else user has a U2F registration? Exercise the U2F login experience.
Some RPs may want to offer only UAF, some only U2F. That's no problem: FIDO is all about the right choice for the RP and the user.
Working Group Logistics
- Weekly, Thursday 10:30am-11:30am Pacific
- Primary meeting by telephone bridge
- Active ongoing discussion by email